1Password Bug Bounty CTF

  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 0
  • Validation within 5 minutes: 75% of submissions are accepted or rejected within 5 minutes

AgileBits/1Password introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses.

Other Security Research Opportunities

This program is strictly dedicated to our $1 million CTF. If you’re interested in conducting general security research against all areas of the 1Password product, check out our main bug bounty program here: bugcrowd.com/agilebits

Submissions to this program should only be related to capturing the flag.

Get started

This version of Capture the Flag is unique. There are no known vulnerabilities that will award you access to the flag; there’s no starting point, nor a guaranteed reward.

The target (flag): Bad poetry in the form of a secure note.
The location: A dedicated Bug Bounty CTF account (bugbounty-ctf.1password.com).

Send an email to bugbounty@agilebits.com and include your Bugcrowd username. You'll receive access to the Bug Bounty CTF account that contains more information.

You should only be submitting to the program if you believe you have captured the flag or are close to capturing the flag. Only valid submissions that detail the steps used to capture the flag are eligible to earn the $1 million reward.

Get help

Start with the 1Password Security Design white paper, and pay particular attention to the section titled Beware of the Leopard (page 68). It explains the decisions and considerations behind the 1Password security design. We’ve also created a tool to help you investigate 1Password.com requests and responses with your own session key.

  • We don’t accept or permit phishing, malware, or compromising 1Password member accounts.
  • For information about the internal API, general questions, and to submit partial reports and theories, please send an email to bugbounty@agilebits.com so we can collaborate, provide support, and offer appropriate guidance.
  • We’re happy to answer general questions via email but won’t provide direct assistance to capture the flag.
  • Assistance isn’t guaranteed for complex and/or time-consuming requests.
  • We’ll accept flaw-hypothesis submissions without penalty, and work with you to develop a reasonable hypothesis when possible.
  • Access to the Bug Bounty CTF account is intentionally limited to the scope of the CTF competition. We recommend using a different account for general bug bounty program research.

Scope

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.